Dane testing and posttls-finger ???

John Allen john at klam.ca
Sat Apr 11 04:30:25 CEST 2015

>      1. MTAs should run their own caching resolvers, even if they forward
>         to another caching resolver upstream (e.g.

I used to run a local caching server, but ran into a problem when I
first started using DNSSEC. To make life a little easier while sorting
out the DNSSEC problems I got rid of it.
Reinstated as of today.
Using posttls-finger now produces expected results.

>      2. If you are doing any RBL lookups, you must not make them via an
>         upstream forwarder (avoid looking up RBLs via and friends).
A little thought and this is obvious.
>      3. If you want any security from DANE when sending outbound
>         email to remote domains, you MUST use a local
>         resolver that validates DNSSEC record signatures for itself.
Done, but why?
>         If you're not using 'smtp_tls_security_level = dane', then
>         the local resolver is not essential for security, but is still
>         a good idea.
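
An added example, not part of the original thread: a Python check of points 1 and 3 above that parses resolv.conf and `postconf` output and flags any nameserver that is not on loopback, because Postfix has to trust the DNSSEC validation status reported by whatever resolver is listed there. The sample inputs and function names are constructed for illustration, `smtp_dns_support_level` is a Postfix parameter not mentioned in the thread, and a loopback address only shows the resolver is local, not that it validates.

```python
import ipaddress

# Constructed sample inputs (not taken from the thread).
SAMPLE_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 192.0.2.53\n"
SAMPLE_POSTCONF = "smtp_dns_support_level = dnssec\nsmtp_tls_security_level = dane\n"

def parse_nameservers(resolv_conf):
    """Return the addresses on 'nameserver' lines of resolv.conf text."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for anything else or unparsable."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False

def audit(resolv_conf, postconf_text):
    """Return findings; an empty list means the setup matches the advice."""
    settings = parse_postconf(postconf_text)
    dane = settings.get("smtp_tls_security_level") in ("dane", "dane-only")
    # Without DANE a remote resolver is discouraged; with DANE it defeats it.
    severity = "ERROR" if dane else "WARN"
    findings = [f"{severity}: nameserver {s} is not loopback"
                for s in parse_nameservers(resolv_conf) if not is_loopback(s)]
    # Postfix only performs DANE lookups when DNSSEC support is enabled.
    if dane and settings.get("smtp_dns_support_level") != "dnssec":
        findings.append("ERROR: dane requires smtp_dns_support_level = dnssec")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV_CONF, SAMPLE_POSTCONF):
        print(finding)
```

On a real host, feed it the contents of /etc/resolv.conf and the output of `postconf smtp_tls_security_level smtp_dns_support_level`.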

